Yesterday, a vulnerability in bash was announced, that was originally found by Stephane Schazelas. The vulnerability allows for arbitrary code execution in bash by setting specific environment variables. Later Travis Ormandy released a second exploit that will work on patched systems. Demonstration that the patch released yesterday is incomplete.
The SANS Internet Storm Center have prepared a short video with details:
More details and instructions: